nanog mailing list archives

Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)


From: Valdis.Kletnieks () vt edu
Date: Tue, 22 Jan 2013 13:24:16 -0500

On Mon, 21 Jan 2013 23:23:16 -0500, Jean-Francois Mezei said:
> This article may be of interest:
>
> http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
>
> Basically, a Montreal student, developing mobile software to interface
> with the school's system, found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caught and was expelled.
>
> In the context of this thread, they found a vulnerability in the web
> site's architecture that allowed them to access any student's records.
>
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline?"

The interesting part is where the same people who were totally unaware
that they had a major security hole until it was pointed out to them
were also able to issue a very fast blanket denial that any student's
information was in fact compromised.  Sure, you can check your logs for
the footprint of the attack - but apparently this wasn't actually being
done before the student mentioned it to them.
